2026-04-10 14:57Z · INFO

v3.4.0.55

Mythic releases · github.com

Mythic v3.4.0.55 released with a Dockerfile tag bump to match the release version. No detailed changelog or feature/fix information is provided in the GitHub release page.

SRF: Application · VND: Mythic · TYP: Tool · Score: 15
2026-04-10 14:16Z · CRIT

CVE-2026-6068 — NASM: heap use-after-free in response file (-@) processing

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6068

NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response-file buffer is freed before the pointer is used, allowing for data corruption or remote code execution. CVSSv3.1 9.6 (CRITICAL) · EPSS 9th percentile

CWE: CWE-416 · VND: NASM · TYP: Vulnerability · CVSS v3.1: 9.6 · Score: 98
2026-04-10 14:16Z · HIGH

CVE-2026-40217 — LiteLLM: remote code execution via bytecode rewriting at the /guardrails/test_custom_code URI (versions through 2026-04-08)

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40217

LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI. CVSSv3.1 8.8 (HIGH)

CWE: CWE-420 · VND: LiteLLM · TYP: Vulnerability · CVSS v3.1: 8.8 · Score: 94
2026-04-10 14:16Z · HIGH

CVE-2025-58913 — CactusThemes VideoPro: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') allowing PHP Local File Inclusion

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-58913

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro (videopro) allows PHP Local File Inclusion. This issue affects VideoPro: from n/a through 2.3.8.1 (inclusive). CVSSv3.1 8.1 (HIGH) · EPSS 15th percentile

CWE: CWE-98 · TYP: Vulnerability · CVSS v3.1: 8.1 · Score: 91
2026-04-10 13:42Z · INFO

v3.4.0.54

Mythic releases · github.com

Mythic v3.4.0.54 released with a Dockerfile tag bump to match the release version. No detailed changelog or feature notes are provided in the GitHub release page.

SRF: Application · VND: Mythic · TYP: Tool · Score: 15
2026-04-10 13:16Z · CRIT

CVE-2026-5412 — Juju: authenticated low-privileged user can extract the controller's bootstrap cloud credentials via the Controller facade's CloudSpec API

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5412

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21. CVSSv3.1 9.9 (CRITICAL)

CWE: CWE-285 · VND: Juju · TYP: Vulnerability · CVSS v3.1: 9.9 · Score: 100
2026-04-10 10:16Z · CRIT

CVE-2026-6057 — FalkorDB: Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6057

FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-22 · VND: FalkorDB · TYP: Vulnerability · CVSS v3.1: 9.8 · Score: 99
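The FalkorDB entry above is the classic upload-API traversal: a client-supplied file name is joined onto the upload directory and written. The following is an added example, not FalkorDB Browser's code, showing the naive resolution beside a hardened one. The upload root, the request file names and the function names are constructed for the demonstration.

```python
"""Added example (hypothetical, not FalkorDB Browser's code): resolving a
client-supplied upload file name so that it cannot escape the upload root."""
import posixpath

UPLOAD_ROOT = "/srv/app/uploads"  # assumed location, constructed for the example


def naive_upload_path(root: str, name: str) -> str:
    """What a vulnerable handler typically does: trust the name as given.

    posixpath.join discards `root` entirely when `name` is absolute, and a
    name containing ".." walks out of `root` once it is normalised.
    """
    return posixpath.normpath(posixpath.join(root, name))


def safe_upload_path(root: str, name: str) -> str:
    """Return the absolute path under `root` for `name`, or raise ValueError."""
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL byte")
    # Treat backslashes as separators as well, so Windows-style traversal
    # (..\..\) is normalised rather than passed through untouched.
    rel = name.replace("\\", "/")
    if posixpath.isabs(rel):
        raise ValueError("absolute paths are not allowed")
    rel = posixpath.normpath(rel)
    if rel in (".", "..") or rel.startswith("../"):
        raise ValueError("path escapes the upload root")
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, rel))
    # Belt and braces: the resolved path must still live strictly under root.
    if full == root or posixpath.commonpath([root, full]) != root:
        raise ValueError("path escapes the upload root")
    return full


def classify(name: str) -> str:
    """'ok:<path>' or 'rejected', so the two handlers can be compared side by side."""
    try:
        return "ok:" + safe_upload_path(UPLOAD_ROOT, name)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed request file names, including three traversal attempts.
    for n in ["report.csv", "sub/../b.txt", "../../etc/crontab", "/etc/passwd", "..\\..\\win.ini"]:
        print(f"{n!r:22} naive={naive_upload_path(UPLOAD_ROOT, n):26} safe={classify(n)}")
```

The string-level check is deliberately done with posixpath so it behaves the same on every platform; on a real server the final path should additionally be resolved with os.path.realpath once the file exists, so that a symlink planted inside the upload directory cannot redirect a later write.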
2026-04-10 10:16Z · HIGH

CVE-2021-47961 — Synology SSL VPN Client before 1.4.5-0684: plaintext storage of a password

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2021-47961

A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction. CVSSv3.1 8.1 (HIGH)

CWE: CWE-256 · TYP: Vulnerability · CVSS v3.1: 8.1 · Score: 91
2026-04-10 07:16Z · CRIT

CVE-2026-6029 — Totolink A7100RU: OS command injection via the User argument of setVpnAccountCfg in /cgi-bin/cstecgi.cgi

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6029

A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument User results in os command injection. The attack may be launched remotely. The exploit is now public and may be used. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · VND: Totolink · TYP: Vulnerability · CVSS v3.1: 9.8 · Score: 99
2026-04-10 07:16Z · CRIT

CVE-2026-6028 — Totolink A7100RU: OS command injection via the enable argument of setPptpServerCfg in /cgi-bin/cstecgi.cgi

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6028

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · VND: Totolink · TYP: Vulnerability · CVSS v3.1: 9.8 · Score: 99
2026-04-10 07:16Z · CRIT

CVE-2026-6027 — Totolink A7100RU: OS command injection via the enable argument of setUrlFilterRules in /cgi-bin/cstecgi.cgi

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6027

A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. This issue affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enable can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · VND: Totolink · TYP: Vulnerability · CVSS v3.1: 9.8 · Score: 99
2026-04-10 07:16Z · CRIT

CVE-2026-6026 — Totolink A7100RU: OS command injection via the enable argument of setPortalConfWeChat in /cgi-bin/cstecgi.cgi

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6026

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setPortalConfWeChat of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument enable results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · VND: Totolink · TYP: Vulnerability · CVSS v3.1: 9.8 · Score: 99
2026-04-10 07:16Z · CRIT

CVE-2026-1115 — parisneo/lollms: stored cross-site scripting (XSS) in the social feature's create_post endpoint

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-1115

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, inclu CVSSv3.1 9.6 (CRITICAL)

CWE: CWE-79 · VND: parisneo/lollms · TYP: Vulnerability · CVSS v3.1: 9.6 · Score: 98
2026-04-10 06:16Z · CRIT

CVE-2026-6025 — Totolink A7100RU: OS command injection via the enable argument of setSyslogCfg in /cgi-bin/cstecgi.cgi

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6025

A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument enable leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · VND: Totolink · TYP: Vulnerability · CVSS v3.1: 9.8 · Score: 99
2026-04-10 06:16Z · HIGH

CVE-2026-6016 — Tenda AC9: stack-based buffer overflow via the WANS argument of decodePwd in /goform/WizardHandle

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6016

A vulnerability was found in Tenda AC9 15.03.02.13. The affected element is the function decodePwd of the file /goform/WizardHandle of the component POST Request Handler. Performing a manipulation of the argument WANS results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. CVSSv3.1 8.8 (HIGH)

CWE: CWE-121, CWE-119 · VND: Tenda · TYP: Vulnerability · CVSS v3.1: 8.8 · Score: 94
2026-04-10 06:16Z · HIGH

CVE-2026-6015 — Tenda AC9: stack-based buffer overflow via the PPPOEPassword argument of formQuickIndex in /goform/QuickIndex

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6015

A vulnerability has been found in Tenda AC9 15.03.02.13. Impacted is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. Such manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. CVSSv3.1 8.8 (HIGH)

CWE: CWE-121, CWE-119 · VND: Tenda · TYP: Vulnerability · CVSS v3.1: 8.8 · Score: 94
2026-04-10 05:16Z · HIGH

CVE-2026-6014 — D-Link DIR-513 (end of life): buffer overflow via the webpage argument of formAdvanceSetup in /goform/formAdvanceSetup

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6014

A flaw has been found in D-Link DIR-513 1.10. This issue affects the function formAdvanceSetup of the file /goform/formAdvanceSetup of the component POST Request Handler. This manipulation of the argument webpage causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer. CVSSv3.1 8.8 (HIGH)

CWE: CWE-120, CWE-119 · VND: D-Link · TYP: Vulnerability · CVSS v3.1: 8.8 · Score: 94
2026-04-10 05:16Z · HIGH

CVE-2026-6013 — D-Link DIR-513 (end of life): buffer overflow via the curTime argument of formSetRoute in /goform/formSetRoute

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6013

A vulnerability was detected in D-Link DIR-513 1.10. This vulnerability affects the function formSetRoute of the file /goform/formSetRoute of the component POST Request Handler. The manipulation of the argument curTime results in buffer overflow. The attack may be performed from remote. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. CVSSv3.1 8.8 (HIGH)

CWE: CWE-120, CWE-119 · VND: D-Link · TYP: Vulnerability · CVSS v3.1: 8.8 · Score: 94
2026-04-10 05:16Z · HIGH

CVE-2026-6012 — D-Link DIR-513 (end of life): buffer overflow via the curTime argument of formSetPassword in /goform/formSetPassword

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6012

A security vulnerability has been detected in D-Link DIR-513 1.10. This affects the function formSetPassword of the file /goform/formSetPassword of the component POST Request Handler. The manipulation of the argument curTime leads to buffer overflow. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. CVSSv3.1 8.8 (HIGH)

CWE: CWE-120, CWE-119 · VND: D-Link · TYP: Vulnerability · CVSS v3.1: 8.8 · Score: 94
2026-04-10 04:17Z · HIGH

CVE-2026-5501 — wolfSSL: wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a chain whose leaf signature is never checked when an untrusted CA:FALSE intermediate signed by a trusted root is supplied

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5501

wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let's Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the functi CVSSv3.1 8.1 (HIGH) · EPSS 7th percentile

CWE: CWE-295 · VND: wolfSSL · TYP: Vulnerability · CVSS v3.1: 8.1 · Score: 91
2026-04-10 04:17Z · HIGH

CVE-2026-5479 — wolfSSL: EVP ChaCha20-Poly1305 decryption in wolfSSL_EVP_CipherFinal returns plaintext without verifying the authentication tag

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5479

In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization functions) fails to verify the authentication tag before returning plaintext to the caller. When an application uses the EVP API to perform ChaCha20-Poly1305 decryption, the implementation computes or accepts the tag but does not compare it against the expected value. CVSSv3.1 8.1 (HIGH) · EPSS 1st percentile

CWE: CWE-354 · VND: wolfSSL · TYP: Vulnerability · CVSS v3.1: 8.1 · Score: 91
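The CVE-2026-5479 entry describes an AEAD finalization that computes the Poly1305 tag but never compares it, so the caller receives plaintext for any ciphertext, including one an attacker has modified. The block below is an added example, not wolfSSL's code: it implements the RFC 8439 primitives in pure Python (for illustration only, not production use), then shows an unchecked open() beside one that does the constant-time comparison and withholds plaintext on mismatch. The key, nonce, AAD and message are constructed for the demonstration; the function names are the example's own.

```python
"""Added example (hypothetical, not wolfSSL's code): ChaCha20-Poly1305
decryption that verifies the tag before releasing plaintext, beside the
unchecked finalisation the advisory describes. The RFC 8439 primitives are
pure Python so the block runs offline; they illustrate the check and are not
meant for production use."""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(x, a, b, c, d):
    x[a] = (x[a] + x[b]) & MASK32; x[d] = _rotl(x[d] ^ x[a], 16)
    x[c] = (x[c] + x[d]) & MASK32; x[b] = _rotl(x[b] ^ x[c], 12)
    x[a] = (x[a] + x[b]) & MASK32; x[d] = _rotl(x[d] ^ x[a], 8)
    x[c] = (x[c] + x[d]) & MASK32; x[b] = _rotl(x[b] ^ x[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 8439 section 2.3: one 64-byte keystream block."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key) + (counter,) + struct.unpack("<3I", nonce)
    x = state[:]
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        _quarter_round(x, 0, 4, 8, 12); _quarter_round(x, 1, 5, 9, 13)
        _quarter_round(x, 2, 6, 10, 14); _quarter_round(x, 3, 7, 11, 15)
        _quarter_round(x, 0, 5, 10, 15); _quarter_round(x, 1, 6, 11, 12)
        _quarter_round(x, 2, 7, 8, 13); _quarter_round(x, 3, 4, 9, 14)
    return struct.pack("<16I", *[(a + b) & MASK32 for a, b in zip(x, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt `data` (the stream cipher is its own inverse)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)


def poly1305(key, msg):
    """RFC 8439 section 2.5: 16-byte one-time authenticator with key r||s."""
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key[16:32], "little")
    p, acc = (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _mac_data(aad, ct):
    pad = lambda b: b + b"\x00" * (-len(b) % 16)
    return pad(aad) + pad(ct) + struct.pack("<QQ", len(aad), len(ct))


def _expected_tag(key, nonce, aad, ct):
    otk = chacha20_block(key, 0, nonce)[:32]  # one-time Poly1305 key, counter 0
    return poly1305(otk, _mac_data(aad, ct))


def seal(key, nonce, aad, pt):
    ct = chacha20_xor(key, nonce, pt)
    return ct, _expected_tag(key, nonce, aad, ct)


def open_unchecked(key, nonce, aad, ct, tag):
    """The advisory's failure mode: the tag is computed (or merely accepted)
    but never compared, so any ciphertext 'decrypts' successfully."""
    _expected_tag(key, nonce, aad, ct)  # computed and thrown away
    return chacha20_xor(key, nonce, ct)


def open_checked(key, nonce, aad, ct, tag):
    """Correct finalisation: constant-time compare, no plaintext on mismatch."""
    if not hmac.compare_digest(_expected_tag(key, nonce, aad, ct), tag):
        raise ValueError("authentication tag mismatch")
    return chacha20_xor(key, nonce, ct)


def demo():
    """Constructed key/nonce/message. Flip one ciphertext bit in transit and
    return (what the unchecked path hands back, what the checked path does)."""
    key, nonce, aad, pt = bytes(range(32)), bytes(12), b"hdr", b"attack at dawn"
    ct, tag = seal(key, nonce, aad, pt)
    assert open_checked(key, nonce, aad, ct, tag) == pt
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]
    garbage = open_unchecked(key, nonce, aad, tampered, tag)
    try:
        open_checked(key, nonce, aad, tampered, tag)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return garbage, verdict
```

Because ChaCha20 is a stream cipher, a single flipped ciphertext bit flips exactly the corresponding plaintext bit, so the unchecked path returns a plausible-looking message with one character changed; only the tag comparison catches it. The comparison must also be constant-time (hmac.compare_digest here) so that a byte-by-byte early exit does not leak how much of a forged tag was right.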
2026-04-10 04:17Z · HIGH

CVE-2026-5466 — wolfSSL: ECCSI verifier wc_VerifyEccsiHash does not check that the r and s signature scalars lie in [1, q-1]

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5466

wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin` with no check that they lie in `[1, q-1]`. A crafted forged signature could verify against any message for any identity, using only publicly-known constants. CVSSv3.1 8.1 (HIGH) · EPSS 1st percentile

CWE: CWE-347 · VND: wolfSSL · TYP: Vulnerability · CVSS v3.1: 8.1 · Score: 91
2026-04-10 04:17Z · HIGH

CVE-2026-5188 — wolfSSL: integer underflow when parsing the X.509 Subject Alternative Name extension (original ASN.1 parser only)

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5188

An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A malformed certificate can specify an entry length larger than the enclosing sequence, causing the internal length counter to wrap during parsing. This results in incorrect handling of certificate data. The issue is limited to configurations using the original ASN.1 parsing implementation which is off by default. CVSSv3.1 8.1 (HIGH) · EPSS 11th percentile

CWE: CWE-191 · VND: wolfSSL · TYP: Vulnerability · CVSS v3.1: 8.1 · Score: 91
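The CVE-2026-5188 entry is the standard DER pitfall: an inner entry length larger than what remains of the enclosing SEQUENCE, subtracted from an unsigned counter, wraps instead of failing. The block below is an added example, not wolfSSL's code: a small bounds-checked parser for the SubjectAltName GeneralNames SEQUENCE that refuses any entry whose length exceeds the bytes left in its parent. The two DER inputs at the bottom are constructed for the demonstration and the function names are the example's own.

```python
"""Added example (hypothetical, not wolfSSL's code): a bounds-checked parser
for the X.509 SubjectAltName GeneralNames SEQUENCE. Each entry's length is
checked against the bytes left in the enclosing sequence before it is
consumed, which is the check whose absence lets a length counter wrap."""


class DERError(ValueError):
    """Raised for any malformed or out-of-bounds encoding."""


def read_tlv(buf: bytes, pos: int, end: int):
    """Decode the tag/length header at buf[pos] without reading past `end`.

    Returns (tag, value_start, value_end). Handles short and long-form
    lengths (up to 4 length bytes) and rejects anything that would overrun.
    """
    if pos + 2 > end:
        raise DERError("truncated tag/length header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise DERError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise DERError("length not minimally encoded")
        pos += n
    remaining = end - pos
    # The check the advisory is about: an inner length larger than what is
    # left in the outer SEQUENCE must be an error, never a wrapped counter.
    if length > remaining:
        raise DERError(f"entry length {length} exceeds {remaining} remaining bytes")
    return tag, pos, pos + length


# Context-specific GeneralName tags (RFC 5280 section 4.2.1.6).
GN_EMAIL, GN_DNS, GN_URI, GN_IP = 0x81, 0x82, 0x86, 0x87


def parse_san(ext_value: bytes):
    """Parse a SubjectAltName extnValue into a list of (kind, value) pairs."""
    tag, start, end = read_tlv(ext_value, 0, len(ext_value))
    if tag != 0x30:
        raise DERError("SubjectAltName must be a SEQUENCE")
    if end != len(ext_value):
        raise DERError("trailing bytes after SubjectAltName")
    names, pos = [], start
    while pos < end:
        t, s, e = read_tlv(ext_value, pos, end)
        body = ext_value[s:e]
        if t in (GN_EMAIL, GN_DNS, GN_URI):
            kind = {GN_EMAIL: "email", GN_DNS: "dns", GN_URI: "uri"}[t]
            names.append((kind, body.decode("ascii")))
        elif t == GN_IP:
            if len(body) not in (4, 16):
                raise DERError("iPAddress must be 4 or 16 bytes")
            names.append(("ip", ".".join(map(str, body)) if len(body) == 4 else body.hex()))
        else:
            names.append(("other", body.hex()))
        pos = e
    return names


def parse_san_result(ext_value: bytes):
    """('ok', names) or ('error', message); handy for callers and tests."""
    try:
        return "ok", parse_san(ext_value)
    except (DERError, UnicodeDecodeError) as exc:
        return "error", str(exc)


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body


# Constructed inputs: a well-formed SAN, and one whose dNSName claims 11
# bytes while only 3 remain inside a 5-byte outer SEQUENCE.
GOOD_SAN = _tlv(0x30, _tlv(GN_DNS, b"example.com") + _tlv(GN_IP, bytes([192, 0, 2, 1])))
BAD_SAN = bytes([0x30, 0x05, GN_DNS, 0x0B]) + b"exa"

if __name__ == "__main__":
    print(parse_san_result(GOOD_SAN))
    print(parse_san_result(BAD_SAN))
```

The point generalises to any nested TLV format: every length read from the wire is compared against the parent's remaining byte count before it is used, and the comparison is on non-negative values that cannot wrap. In C the same discipline means checking `length > remaining` before ever computing `remaining -= length`.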
2026-04-10 02:16Z · CRIT

CVE-2026-5997 — Totolink A7100RU: OS command injection via the admpass argument of setLoginPasswordCfg in /cgi-bin/cstecgi.cgi

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5997

A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setLoginPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument admpass results in os command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · VND: Totolink · TYP: Vulnerability · CVSS v3.1: 9.8 · Score: 99
2026-04-10 02:16Z · CRIT

CVE-2026-5996 — Totolink A7100RU: OS command injection via the tty_server argument of setAdvancedInfoShow in /cgi-bin/cstecgi.cgi

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5996

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument tty_server leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-77, CWE-78 · VND: Totolink · TYP: Vulnerability · CVSS v3.1: 9.8 · Score: 99
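The seven Totolink A7100RU entries on this page (CVE-2026-6029, -6028, -6027, -6026, -6025, -5997 and -5996) share one defect class: a request parameter of /cgi-bin/cstecgi.cgi reaches a shell command string. The block below is an added example, not Totolink firmware code, contrasting that pattern with a handler that validates each field against an allowlist and executes via an argv list with no shell. The syslog helper command, its flags and the request payloads are invented for the illustration.

```python
"""Added example (hypothetical, not Totolink firmware code): a CGI-style
configuration setter that validates each request field and runs its helper
via an argv list, beside the string-built command behind classic OS command
injection. The command name and flags are made up for the illustration."""
import re
import shlex
import subprocess

# Allowlist for a hostname or IPv4 literal (RFC 1123 labels); anything a
# shell would interpret (; | & $ ` quotes, spaces) cannot match.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_syslog_command(enable: str, server: str) -> str:
    """The pattern behind the advisories: request parameters pasted into a
    shell string that is then handed to system()/popen()."""
    return f"syslogd -R {server} -e {enable}"


def validate_enable(value: str) -> str:
    if value not in ("0", "1"):
        raise ValueError(f"enable must be 0 or 1, got {value!r}")
    return value


def validate_host(value: str) -> str:
    if not HOST_RE.match(value):
        raise ValueError(f"invalid syslog server {value!r}")
    return value


def safe_syslog_argv(enable: str, server: str) -> list:
    """Validated fields become separate argv elements. No shell is involved,
    so metacharacters would be literal bytes even if the allowlist let them
    through; the allowlist rejects them first."""
    return ["syslogd", "-R", validate_host(server), "-e", validate_enable(enable)]


def run_without_shell(args: list) -> str:
    """Execute with shell=False. /bin/echo stands in for the real helper so
    the demonstration has no side effects; the returned text shows that the
    arguments arrive unparsed by any shell."""
    done = subprocess.run(["echo", *args], capture_output=True, text=True, check=True)
    return done.stdout.rstrip("\n")


def handle_request(params: dict) -> str:
    """CGI-style entry point: returns the argv that would run, or the error."""
    try:
        argv = safe_syslog_argv(params.get("enable", ""), params.get("server", ""))
    except ValueError as exc:
        return "400 " + str(exc)
    return "200 " + shlex.join(argv)


if __name__ == "__main__":
    # Constructed requests: one honest, two carrying shell metacharacters.
    for req in [{"enable": "1", "server": "log.example.net"},
                {"enable": "1; reboot", "server": "log.example.net"},
                {"enable": "1", "server": "x$(cat /etc/passwd)"}]:
        print(vulnerable_syslog_command(req["enable"], req["server"]), "->", handle_request(req))
    print(run_without_shell(["1; id"]))
```

Two layers matter here and they are independent: the allowlist stops the request before anything runs, and the argv form means that even a value which slips past validation is passed to the program as one argument rather than being re-parsed by /bin/sh. Embedded handlers that must call `system()` for legacy reasons get neither protection from escaping alone, which is why the fix is to drop the shell, not to add quoting.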